From 8eeb87e6acf8bae4bb621128865d4ee4edd20dcf Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Mon, 5 Jul 2010 21:59:15 +1200 Subject: [PATCH] Update negotiate SSPI helper --- configure.in | 2 +- doc/release-notes/release-3.2.sgml | 1 + helpers/negotiate_auth/Makefile.am | 2 +- helpers/negotiate_auth/SSPI/Makefile.am | 13 +++ .../{mswin_sspi => SSPI}/config.test | 0 .../negotiate_sspi_auth.cc} | 83 +++++--------- .../{mswin_sspi => SSPI}/readme.txt | 0 helpers/negotiate_auth/mswin_sspi/Makefile.am | 23 ---- .../mswin_sspi/libnegotiatessp.c | 81 ------------- helpers/negotiate_auth/mswin_sspi/negotiate.h | 106 ------------------ mksnapshot.sh | 2 +- 11 files changed, 48 insertions(+), 265 deletions(-) create mode 100644 helpers/negotiate_auth/SSPI/Makefile.am rename helpers/negotiate_auth/{mswin_sspi => SSPI}/config.test (100%) rename helpers/negotiate_auth/{mswin_sspi/negotiate_auth.c => SSPI/negotiate_sspi_auth.cc} (84%) rename helpers/negotiate_auth/{mswin_sspi => SSPI}/readme.txt (100%) delete mode 100644 helpers/negotiate_auth/mswin_sspi/Makefile.am delete mode 100644 helpers/negotiate_auth/mswin_sspi/libnegotiatessp.c delete mode 100644 helpers/negotiate_auth/mswin_sspi/negotiate.h diff --git a/configure.in b/configure.in index 92a82cd8c9..c9071bd668 100644 --- a/configure.in +++ b/configure.in @@ -3826,7 +3826,7 @@ AC_CONFIG_FILES([\ helpers/ntlm_auth/SSPI/Makefile \ helpers/negotiate_auth/Makefile \ helpers/negotiate_auth/kerberos/Makefile \ - helpers/negotiate_auth/mswin_sspi/Makefile \ + helpers/negotiate_auth/SSPI/Makefile \ helpers/external_acl/Makefile \ helpers/external_acl/ip_user/Makefile \ helpers/external_acl/ldap_group/Makefile \ diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 4c2f92f26b..247cd40c44 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml 
@@ -118,6 +118,7 @@ Most user-facing changes are reflected in squid.conf (see below). Negotiate Authentication protocol helpers

+ mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI. squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers. diff --git a/helpers/negotiate_auth/Makefile.am b/helpers/negotiate_auth/Makefile.am index 8b6c10e991..8350ac5758 100644 --- a/helpers/negotiate_auth/Makefile.am +++ b/helpers/negotiate_auth/Makefile.am @@ -1,3 +1,3 @@ -DIST_SUBDIRS = mswin_sspi kerberos +DIST_SUBDIRS = kerberos SSPI SUBDIRS = $(NEGOTIATE_AUTH_HELPERS) diff --git a/helpers/negotiate_auth/SSPI/Makefile.am b/helpers/negotiate_auth/SSPI/Makefile.am new file mode 100644 index 0000000000..c54cfb449a --- /dev/null +++ b/helpers/negotiate_auth/SSPI/Makefile.am @@ -0,0 +1,13 @@ +include $(top_srcdir)/src/Common.am + +libexec_PROGRAMS = negotiate_sspi_auth + +negotiate_sspi_auth_SOURCES = negotiate_sspi_auth.cc + +LDADD = \ + -L$(top_builddir)/lib -lsspwin32 \ + $(COMPAT_LIB) \ + -ladvapi32 \ + $(XTRA_LIBS) + +EXTRA_DIST = readme.txt config.test diff --git a/helpers/negotiate_auth/mswin_sspi/config.test b/helpers/negotiate_auth/SSPI/config.test similarity index 100% rename from helpers/negotiate_auth/mswin_sspi/config.test rename to helpers/negotiate_auth/SSPI/config.test diff --git a/helpers/negotiate_auth/mswin_sspi/negotiate_auth.c b/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc similarity index 84% rename from helpers/negotiate_auth/mswin_sspi/negotiate_auth.c rename to helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc index e9e73746a7..8e6db8c5ac 100644 --- a/helpers/negotiate_auth/mswin_sspi/negotiate_auth.c +++ b/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc @@ -1,6 +1,5 @@ - /* - * mswin_negotiate_auth: helper for Negotiate Authentication for Squid Cache + * negotiate_sspi_auth: helper for Negotiate Authentication for Squid Cache * * (C)2005 Guido Serassio - Acme Consulting S.r.l. * 
@@ -37,53 +36,37 @@ * * */ - +#include "config.h" +#include "helpers/defines.h" +#include "libntlmauth/support_bits.cci" +#include "sspwin32.h" #include "util.h" + +#include +#include +#include #if HAVE_GETOPT_H #include #endif -#include "negotiate.h" #if HAVE_CTYPE_H #include #endif -#define BUFFER_SIZE 10240 - -int debug_enabled = 0; int Negotiate_packet_debug_enabled = 0; - static int have_serverblob; -/* makes a null-terminated string upper-case. Changes CONTENTS! */ -void -uc(char *string) -{ - char *p = string, c; - while ((c = *p)) { - *p = xtoupper(c); - p++; - } -} - -/* makes a null-terminated string lower-case. Changes CONTENTS! */ -static void -lc(char *string) -{ - char *p = string, c; - while ((c = *p)) { - *p = xtolower(c); - p++; - } -} - -void -helperfail(const char *reason) -{ -#if FAIL_DEBUG - fail_debug_enabled = 1; +/* A couple of harmless helper macros */ +#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n"); +#ifdef __GNUC__ +#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); +#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); +#else +/* no gcc, no debugging. varargs macros are a gcc extension */ +#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); +#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z); #endif - SEND2("BH %s", reason); -} + +char *negotiate_check_auth(SSP_blobP auth, int auth_length); /* * options: @@ -103,7 +86,6 @@ usage() my_program_name); } - void process_options(int argc, char *argv[]) { @@ -126,7 +108,7 @@ process_options(int argc, char *argv[]) opt = optopt; /* fall thru to default */ default: - fprintf(stderr, "unknown option: -%c. Exiting\n", opt); + fprintf(stderr, "ERROR: unknown option: -%c. Exiting\n", opt); usage(); had_error = 1; } 
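Review bot: The `SEND`, `SEND2` and `SEND3` macros added in the `@@ -37,53 +36,37 @@` hunk each expand to two statements (`debug(...); printf(...);`), so they misbehave under an unbraced `if`/`else`, and this commit introduces exactly that use. In the `@@ -214,12 +196,12 @@` hunk, `else SEND("BH can't obtain server blob");` replaces a call to the removed `helperfail()` function. Only the `debug()` call stays under the `else`; the `printf` runs on every pass, so a `BH` line is also written to Squid after the branch above it has completed. Wrap each macro as a single statement, e.g. `#define SEND(X) do { debug("sending '%s' to squid\n", X); printf(X "\n"); } while (0)`, and do the same for both variants of `SEND2` and `SEND3`. The other `SEND` calls visible in this patch sit inside braces or at function level and are not affected.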
@@ -138,7 +120,7 @@ process_options(int argc, char *argv[]) int manage_request() { - char buf[BUFFER_SIZE]; + char buf[HELPER_INPUT_BUFFER]; char helper_command[3]; char *c, *decoded; int plen, status; @@ -148,14 +130,14 @@ manage_request() BOOL Done = FALSE; try_again: - if (fgets(buf, BUFFER_SIZE, stdin) == NULL) + if (fgets(buf, HELPER_INPUT_BUFFER, stdin)) return 0; - c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */ + c = memchr(buf, '\n', HELPER_INPUT_BUFFER); /* safer against overrun than strchr */ if (c) { if (oversized) { - helperfail("illegal request received"); - fprintf(stderr, "Illegal request received: '%s'\n", buf); + SEND("BH illegal request received"); + fprintf(stderr, "ERROR: Illegal request received: '%s'\n", buf); return 1; } *c = '\0'; @@ -214,12 +196,12 @@ try_again: have_serverblob = 1; } } else - helperfail("can't obtain server blob"); + SEND("BH can't obtain server blob"); return 1; } if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */ if (!have_serverblob) { - helperfail("invalid server blob"); + SEND("BH invalid server blob"); return 1; } /* figure out what we got */ @@ -236,9 +218,6 @@ try_again: c = (char *) SSP_ValidateNegotiateCredentials(decoded, plen, &Done, &status, cred); if (status == SSP_ERROR) { -#if FAIL_DEBUG - fail_debug_enabled = 1; -#endif FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, @@ -283,11 +262,11 @@ try_again: } } else { /* not an auth-request */ - helperfail("illegal request received"); + SEND("BH illegal request received"); fprintf(stderr, "Illegal request received: '%s'\n", buf); return 1; } - helperfail("detected protocol error"); + SEND("BH detected protocol error"); return 1; /********* END ********/ } 
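Review bot: The rewritten read check in the `@@ -148,14 +130,14 @@` hunk, `if (fgets(buf, HELPER_INPUT_BUFFER, stdin)) return 0;`, has lost the `== NULL` of the line it replaces, so the test is inverted. As written, manage_request() returns 0 for every line it reads successfully, and on EOF or a read error it falls through to `memchr(buf, '\n', HELPER_INPUT_BUFFER)` on a stack buffer that was never filled. For an authentication helper this means no request is processed and the EOF path parses indeterminate memory; restore `if (fgets(buf, HELPER_INPUT_BUFFER, stdin) == NULL)`. Separately, `memchr` over the full buffer size reads past the terminator fgets wrote, so a line without a newline can match a stale `\n` further along; `strchr(buf, '\n')` would stay inside the string. manage_request() starts and ends outside this hunk.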
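Review bot: The context line `fprintf(stderr, "Illegal request received: '%s'\n", buf);` in the `@@ -283,11 +262,11 @@` hunk is left without the `ERROR:` prefix that this commit adds to the identical message in the `@@ -148,14 +130,14 @@` hunk. Make the two consistent with `fprintf(stderr, "ERROR: Illegal request received: '%s'\n", buf);`. Both lines also copy the raw request line into the log. Since `buf` presumably carries client-influenced data relayed by Squid, escaping non-printable bytes before logging, or at least a comment noting that the value is unsanitised, would help whoever reads these logs.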
@@ -302,7 +281,7 @@ main(int argc, char *argv[]) debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) { - fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); + fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", argv[0]); exit(1); } debug("SSPI initialized OK\n"); diff --git a/helpers/negotiate_auth/mswin_sspi/readme.txt b/helpers/negotiate_auth/SSPI/readme.txt similarity index 100% rename from helpers/negotiate_auth/mswin_sspi/readme.txt rename to helpers/negotiate_auth/SSPI/readme.txt diff --git a/helpers/negotiate_auth/mswin_sspi/Makefile.am b/helpers/negotiate_auth/mswin_sspi/Makefile.am deleted file mode 100644 index 0f310518f4..0000000000 --- a/helpers/negotiate_auth/mswin_sspi/Makefile.am +++ /dev/null @@ -1,23 +0,0 @@ -# -# Makefile for the Squid Object Cache server -# -# $Id$ -# - -include $(top_srcdir)/src/Common.am - -## we need our local files too (but avoid -I. at all costs) -INCLUDES += -I$(srcdir) - - -libexec_PROGRAMS = mswin_negotiate_auth - -mswin_negotiate_auth_SOURCES = libnegotiatessp.c negotiate_auth.c negotiate.h - -LDADD = \ - -L$(top_builddir)/lib -lsspwin32 \ - $(COMPAT_LIB) \ - -ladvapi32 \ - $(XTRA_LIBS) - -EXTRA_DIST = readme.txt config.test diff --git a/helpers/negotiate_auth/mswin_sspi/libnegotiatessp.c b/helpers/negotiate_auth/mswin_sspi/libnegotiatessp.c deleted file mode 100644 index 7d40a8b667..0000000000 --- a/helpers/negotiate_auth/mswin_sspi/libnegotiatessp.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* - * (C) 2005 Guido Serassio - * Based on previous work of Francesco Chemolli and Robert Collins - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - */ - -typedef unsigned char uchar; - -#include "util.h" -#include "negotiate.h" -#if HAVE_CTYPE_H -#include -#endif - -void -hex_dump(void *data, int size) -{ - /* dumps size bytes of *data to stdout. Looks like: - * [0000] 75 6E 6B 6E 6F 77 6E 20 - * 30 FF 00 00 00 00 39 00 unknown 0.....9. 
- * (in a single line of course) - */ - - if (!data) - return; - - if (debug_enabled) { - unsigned char *p = data; - unsigned char c; - int n; - char bytestr[4] = {0}; - char addrstr[10] = {0}; - char hexstr[16 * 3 + 5] = {0}; - char charstr[16 * 1 + 5] = {0}; - for (n = 1; n <= size; n++) { - if (n % 16 == 1) { - /* store address for this line */ - snprintf(addrstr, sizeof(addrstr), "%.4x", - ((unsigned int) p - (unsigned int) data)); - } - c = *p; - if (xisalnum(c) == 0) { - c = '.'; - } - /* store hex str (for left side) */ - snprintf(bytestr, sizeof(bytestr), "%02X ", *p); - strncat(hexstr, bytestr, sizeof(hexstr) - strlen(hexstr) - 1); - - /* store char str (for right side) */ - snprintf(bytestr, sizeof(bytestr), "%c", c); - strncat(charstr, bytestr, sizeof(charstr) - strlen(charstr) - 1); - - if (n % 16 == 0) { - /* line completed */ - fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr); - hexstr[0] = 0; - charstr[0] = 0; - } else if (n % 8 == 0) { - /* half line: add whitespaces */ - strncat(hexstr, " ", sizeof(hexstr) - strlen(hexstr) - 1); - strncat(charstr, " ", sizeof(charstr) - strlen(charstr) - 1); - } - p++; /* next byte */ - } - - if (strlen(hexstr) > 0) { - /* print rest of buffer if not empty */ - fprintf(stderr, "[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr); - } - } -} diff --git a/helpers/negotiate_auth/mswin_sspi/negotiate.h b/helpers/negotiate_auth/mswin_sspi/negotiate.h deleted file mode 100644 index e04aa06aaa..0000000000 --- a/helpers/negotiate_auth/mswin_sspi/negotiate.h +++ /dev/null 
@@ -1,106 +0,0 @@ -/* - * (C) 2005 Guido Serassio - * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran - * - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - */ - -#ifndef _NEGOTIATE_H_ -#define _NEGOTIATE_H_ - -#include "sspwin32.h" -#include -#include -#include -#undef debug - -/************* CONFIGURATION ***************/ -/* - * define this if you want debugging - */ -#ifndef DEBUG -#define DEBUG -#endif - -#define FAIL_DEBUG 0 - -/************* END CONFIGURATION ***************/ - -#include - -extern int debug_enabled; -#if FAIL_DEBUG -extern int fail_debug_enabled; -#endif - -/* Debugging stuff */ - -#ifdef __GNUC__ /* this is really a gcc-ism */ -#ifdef DEBUG -#include -#include -static char *__foo; -#define debug(X...) if (debug_enabled) { \ - fprintf(stderr,"ntlm-auth[%d](%s:%d): ", getpid(), \ - ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ - __LINE__);\ - fprintf(stderr,X); } -#else /* DEBUG */ -#define debug(X...) /* */ -#endif /* DEBUG */ -#else /* __GNUC__ */ -static void -debug(char *format,...) 
-{ -#ifdef DEBUG -#ifdef _SQUID_MSWIN_ -#if FAIL_DEBUG - if (debug_enabled || fail_debug_enabled) { -#else -if (debug_enabled) { -#endif - va_list args; - - va_start(args,format); - fprintf(stderr, "negotiate-auth[%d]: ",getpid()); - vfprintf(stderr, format, args); - va_end(args); -#if FAIL_DEBUG - fail_debug_enabled = 0; -#endif - } -#endif /* _SQUID_MSWIN_ */ -#endif /* DEBUG */ -} -#endif /* __GNUC__ */ - - -/* A couple of harmless helper macros */ -#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n"); -#ifdef __GNUC__ -#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#define SEND3(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#else -/* no gcc, no debugging. varargs macros are a gcc extension */ -#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#define SEND3(X,Y,Z) debug("sending '" X "' to squid\n",Y,Z); printf(X "\n",Y,Z); -#endif - -extern void uc(char *); - -extern char *negotiate_check_auth(SSP_blobP auth, int auth_length); -extern void hex_dump(void *, int); - -#define safe_free(x) if (x) { free(x); x = NULL; } - -#endif /* _NEGOTIATE_H_ */ diff --git a/mksnapshot.sh b/mksnapshot.sh index d824f6d73f..508dd4ff17 100755 --- a/mksnapshot.sh +++ b/mksnapshot.sh @@ -118,7 +118,7 @@ if (groff --help >/dev/null); then for f in `ls -1 ${tmpdir}/doc/manuals/*.1 ${tmpdir}/doc/manuals/*.8 2>/dev/null` ; do cat ${f} | groff -E -Thtml -mandoc >${f}.html done - sh -c "cd ${tmpdir}/doc/manuals && tar -zcf $PWD/${PACKAGE}-${VERSION}-${date}-manuals.tar.gz *.html *.1 *.8" + sh -c "cd ${tmpdir}/doc/manuals && tar -zcf ${PWD}/${PACKAGE}-${VERSION}-${date}-manuals.tar.gz *.html *.1 *.8" echo ${PACKAGE}-${VERSION}-${date}-manuals.tar.gz >>${tag}.out fi -- 2.47.3